When Cyber Space Meets the Real World

Although many Americans may reasonably assume that the federal government will handle the response to most cyber incidents, the reality is often quite different. During a conference held at Georgetown University in April 2013, Michael Daniel, cybersecurity coordinator at the White House, suggested that the emergency management model be applied to cope with most cyber incidents. Adoption of this approach would generally dictate that the responses to most such emergencies would be managed primarily at the local and state levels, unless authorities at those levels are unable to adequately respond.

If the emergency management model is applied, the responsibility for dealing with a cyber incident would fall principally on local authorities. Therefore, they must ensure that they are adequately prepared to cope with such incidents within their own jurisdictions.

For all types of emergencies, the success of the response depends not only on the practical expertise and capabilities of the first responders, but also on their ability to work together effectively. In dealing with cyber incidents, local and state emergency responders must also have strong working relationships with their information technology (IT) counterparts. Currently, those relationships often either do not exist or need to be reinforced. If the responsibility of managing a cyber incident falls primarily on them, then local and state jurisdictions must find better ways of establishing the necessary relationships between and among their own emergency managers and IT professionals. Doing so would ensure effective responses to an ever-increasing threat.

Managing Cyber Threats: COOP Planning & Cooperative Skills

The technical aspects of a cyber incident may tempt at least some emergency managers to hand off the response efforts to the IT professionals involved. In that context, however, it is important to consider Daniel’s assertion – at the Georgetown conference mentioned above – that a cyber incident may be managed in ways similar to those applicable to any other type of emergency. This approach would be particularly true considering the fact that real-world power outages, traffic disruptions, and/or critical infrastructure failures could possibly result from a single attack within cyber space.

Basic emergency response principles should not be neglected when faced with a cyber incident. The Incident Command System (ICS) is still applicable when coordinating a response to a cyber incident. Continuity of Operations (COOP) planning also is vital when a cyber disruption occurs. Well-designed COOP plans not only are applicable to all types of hazards, but also will allow the organizations and agencies involved to continue their essential functions during any type of emergency. In that context, it is irrelevant with respect to the COOP plan if an IT system outage was caused by a natural disaster, a power outage, or a cyber attack – because the plan itself would define the backup capabilities that will be needed until normal operations can be restored.

The most important distinction, however, between cyber incidents and other types of emergencies lies in the technical expertise required to recover from the incident and to restore normal operations. The response to and/or recovery from a cyber incident would be nearly impossible without the collaborative skills and services of: (a) IT professionals to provide the technical expertise required to recover and restore the systems directly affected; and (b) emergency managers to coordinate the response and deploy the human and material resources needed to achieve that goal.

Without clearly defined roles and expectations, it would be difficult for emergency managers and IT professionals to coordinate their efforts. Although IT professionals may have developed and promulgated robust data and system recovery plans, they nonetheless may be unaware of certain emergency response principles related to ICS and/or continuity planning. Similarly, emergency managers often do not possess the technical expertise needed to understand the requirements and procedures postulated for restoring IT capabilities – and, therefore, may have unrealistic expectations as to the probable recovery time.

Bringing Together All the Pieces

The first step toward bridging the current gap between emergency managers and IT professionals is to engage them in joint training. Programs such as the Federal Emergency Management Agency’s Resilient Accord Workshop, which addresses emergency management and continuity planning considerations in response to cyber incidents, are immensely helpful. One of the principal goals of the workshop is to bring together emergency managers and IT professionals to establish and/or enhance the working relationships between the two disciplines. By better informing each side about the other’s roles, responsibilities, and capabilities, emergency managers themselves will become better equipped to coordinate the response – and the IT professionals involved will become more fully integrated into the response.

Fortunately, some U.S. jurisdictions are already going a step further and actively encouraging such collaboration. A number of New England states, for example, have established “Cyber Disruption Teams” consisting of representatives from the emergency management, information technology, and public safety communities. These teams are deployed with members who have not only been cross-trained but also have: (a) completed introductory courses on incident command and information risk management; and (b) gained practical experience through workshops similar to the FEMA Resilient Accord. These training sessions help familiarize team members with emergency management and IT concepts so that, during future responses to a cyber incident, all parties will use the common terminology and possess the same understanding of the sometimes complex issues involved.

By working more closely with the IT community and developing more effective working relationships, emergency managers will gain a clearer understanding of not only the extent and ramifications of the incident, but also of the human and material requirements and resources needed for a successful recovery. In short, a mutual understanding must be developed and sustained in every local jurisdiction throughout the nation to effectively prepare for, respond to, and recover from cyber incidents. The success of any emergency response is founded on the same type of strong relationships.